If this is your first visit, be sure to
check out the FAQ by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below.

Do public wifi hotspots offer anonymous surfing?

The proliferation of wifi hotspot locations may open up new possibilities for anonymous web surfing and mailing.

All email and webmail (hotmail, gmail, etc) messages and web forum posts reveal the IP address associated with the WAN connection through which the message is sent. It appears that ISPs such as Videotron, Bell, Rogers, etc, have the technical capability to trace a specific message or post back to their customer's true identity, by matching the IP address with the customer's account info.

ISP privacy policies offer some level of protection but I have seen several private investigators, advertising on the web, who claim they are capable of extracting the true identity of an ISP's customer from their IP address, even without a court order. I don't know if they bribe someone at the ISP, disguise themselves as LE, or if the ISP is just plain careless.

Anyway, I have come to think that the only way to surf or email anonymously is to use a public hotspot: at an Internet café, a public library, a university, etc., because then you are using that place's IP address, not your own. This is the modern equivalent of calling from a public payphone. The only way someone (LE, PI or whomever) could trace a message back to an individual would be if the hotspot or ISP logs not only the IP address, but also the device's (laptop, PDA, etc) MAC address. In that case, it would be possible to match a post or a message with a device, assuming one can get into that device (hack or steal it) to get its MAC address.

So, my questions to all the techies out there:

1) do ISPs or public hotspots log MAC addresses for every message or post?

2) Is there a windows command or another way to remotely obtain a device's MAC address?

But if you use a device that is registered in your name...or a device that you use regularly from a set IP address, this information might get passed along or saved somehow. You just never know what's being sent/saved anymore. Just saw a report that the FBI can turn on the microphone of your cell phone (even if you have the power turned off) and listen in on your conversation.

Only way to be truely anonymous is to have one of those phones that can surf the web from hotspots...and not have it registered or use it anywhere except those free hotspots.

But from what I understand from your post you have general anonymity concerns right?

Please understand that there are far greater things to worry about than your MAC address and any possible monitoring of it. In my opinion, MAC address logging is irrelevant and inconclusive. What would prevent you from getting a bunch of used Network cards or wifi cards and swap them intermittently or even successfully spoof the MAC? That alone doesn't do squat to make you anonymous and LE know that.

If you are posting on forums and sending emails you've logged into a system using your credentials. The moment you do so, you are in fact disclosing some part of your identity.
Even if you're using proxy servers, all this does in reality is make it harder to determine where you are in "real-time". Which is not as important as identifying WHO YOU ARE.

You might then say: "I use a freemail service"! To which I answer:

1) Have you ever sent an email to a friend from that service? ... its logged
2) Have you ever connected to the service from home or office? ... its logged

It would not be very hard for LE to get details about anyone frequenting these forums if they really needed to. All they need is a warrant. Very hard to get for light crimes like software piracy, music downloads, but mention terrorism, sex crimes,pedophiles,death threats,etc, and voila.

Private investigators don't even need to make so much of an effort. They are not bound by the same obligations and legalities as LE. Using social engineering tactics will in fact yield better and faster results.

A quick word about Hotspots,Internet cafés, hotels...

They are so INSECURE. In fact, they are loaded with trojans and keyloggers. I can tell you many horror stories if you want from security audits I've done in the past. Its fine if you're just browsing the net. But for goodness sakes... NEVER ENTER ANY CREDENTIALS IN THOSE SYSTEMS especially credit card information.

And if you haven't had you laptop audited or configured by someone who is security savvy... I wouldn't use it either. If you want details...ask and I'll explain.

Using a phone as an anonymizer... partially agree. Problem is new phones even have aGPS chips in them making it possible to track you when you disconnect from the Net. In some cases even when the phone is off... yup that is true. You need to remove the battery.

You could also find a used laptop, pay cash for it. Find some used network/wifi cards to swap. And like the phones, only use them for you hobbie surfing in remote locations... but as long as you don't log into any site. Just browse.

So my question is... what exactly do you want to protect yourself from? I'll answer to the best of my abilities.

Are you just worried about your hobby and LE ? Hell... I'd be more afraid of the wife lol

Cheers!

-N-

"I believe that sex is one of the most beautiful, natural, wholesome things that money can buy."
-- Steve Martin

Thanks neverbored... you answered the question that I've asked 20 times and never got an answer... so it's OK to surf through free WiFi hotspots but don't enter any passwords etc... becasue they can easily be picked up? Right?

I assume that the same would apply to unprotected private wifi? would it be correct to say probably not a problem but it could be...

If you had a new computer that you paid cash for in a store that had no CCTV cameras and no people that knew you...that`s a start.
The same thing with the WIFI spot. Cash, no cameras, no one one knows you and no spies...
Then if you move from WIFI to WIFI this way...
Never to go more than once....
With a random pattern covering a big territory...
And you disguise yourself...
Hide your car or use public transit without a smartcard...
And no cameras....
And if your paranoia is uncalled for because you are not really doing anything serious...

However if you are doing something serious none of these can protect you because you will set off a response to an alarm. And you may be in shackles within minutes.

I`m just guessing.
Anyway you should not be doing anything criminal anywhere & anyhow.

Thanks neverbored... you answered the question that I've asked 20 times and never got an answer... so it's OK to surf through free WiFi hotspots but don't enter any passwords etc... becasue they can easily be picked up? Right?

That is correct

Here is a sample of what a sniffed packed looks like using Wireshark. Which is a very simple application...launch and capture raw network packets.

Look just under the highlighted line.
This is what they mean by unencrypted packets on a network where authentication (username & password) is sent in clear text. The example is for FTP, but the same applies to any application that uses non-encrypted protocols. So basically, any webpage that doesn't have SSL encryption is passing your credentials in clear text just like the example...might want to rethink your password convention

Note: even SSL encryption can be hacked...

Originally Posted by Dee

I assume that the same would apply to unprotected private wifi? would it be correct to say probably not a problem but it could be...

The problem with using unprotected WiFi networks is that its illegal.
Legally speaking, the level of intrusion is the same as entering someones home to use the telephone without prior conscent. But because its there free-floating, people just think its ok to use it. This is not my opinion, nor do I aprove/condemn it... that's just the way it is.

Personally, I'd never use an open access point, especially to access personal stuff. The reason is simple... what if it was left open on purpose? There is such a thing as a "honeypot" in network security. And since you're not in control of what you're connecting to... who is to say that the person isn't attempting some type of malicious attack?

A typical honeypot would be to broadcast a WIFI SSID called "linksys".This is the default SSID for most out of the box Linksys routers. Without encryption or with WEP-128 encryption (crackable within 5-10 minutes guaranteed).
Let's say connected to the AP, is a small server that acts as a DNS, WEB, POP (mail) server. Take note, that there isn't even a need to have this setup actually connected to the internet.

A user connects to the AP, gets an IP address. And connects to the fake hotmail. He sees a page exactly like the real thing, enters his username and password and then some error.
Bingo, I now have his username and password.

Now imagine the same scenario but also serving an internet connection. People connect, surf, enter username & passwords.
I can now lock them out of any site they've been visiting by changing the password to their email, and then changing the password to all their registered sites.

Get it?

Now most of you would answer...bah who cares, I got nothing to hide or it dosen't concern me... And that's exactly the type of people blackhat hackers thrive on.
The less you care, the more risks you take. Till, that one day, you enter banking information or even worst...submit your taxes

Another trend in email password stealing is accessing your address list. If your dad, mom, son, daughter... sent you an email with an attachment, how often will you open that attachment blindly? What if its a virus that's isn't detectable yet? Now imagine the number of people this viruses can hit just with using your social network? Does 6 degrees of separation ring any bells? People that have MSN might have noticed this strategy in the last couple of months...Now imagine this with Facebook

Factor in the number of people that use the same username and password for all their sites...

So this might not be YOU... but statistically... its greater than 70% of everyone that will read this post. lol

Last edited by neverbored; 03-12-2009 at 02:48 AM.

"I believe that sex is one of the most beautiful, natural, wholesome things that money can buy."
-- Steve Martin

So my question is... what exactly do you want to protect yourself from? I'll answer to the best of my abilities.

Neverbored,

First of all, tks for your informative posts. I'm not worried about about LE. I intend to engage in some whisleblowing and I'm concerned that the object will have his corporate security or a PI on my case within minutes.

Originally Posted by neverbored

Private investigators don't even need to make so much of an effort. They are not bound by the same obligations and legalities as LE. Using social engineering tactics will in fact yield better and faster results.

Can you explain what you mean by social engineering tactics? Obviously, I am lay to your trade!

Can you explain what you mean by social engineering tactics? Obviously, I am lay to your trade!

In IT security, no matter how effective your security policies are the weakest link will always be the human users. The is the foundation of Social Engineering. In other words: its easier to hack a person than it is to hack a system. One of the most notorious hackers in our time (Kevin Mitnik) has published a few bestsellers on this very subject.

The number of people Today that still use passwords such as: 1234, telephone numbers, address number, special dates, wife's name, childrens name & combination of both still account for 80% of people's passwords.

If its not written directly on the screen or under the keyboard its easy to initiate a "social attack" by engaging people (weak links) that may have access to these details. Let's face it most people like to talk... and like to show just how much they are valuable and how much they know (secretaries are prime targets).

Via simple conversation its easy to classify a target within various psychological groups. The ideal being:

Q: You been working here long?
Establish: Older women that have been there for many years.

Q: My mom was a secretary also...I'll bet he's very lucky to have you!
Establish: Human connection. A little irritated to see the success of their bosses, thinking that without them they never would have been able to tie their shoes... feel under appreciated.

Q: One day, I too will be successful... and hopefully have someone as efficient as you... would be nice for someone to remind me of things, cause I'm a man (insert fake laugh)
Establish: I'm an idiot & they know every detail of their bosses lives (wife's name, children name, birthdays, etc.) let them talk because they will.

This is a generalization... but you get the idea.

People have an inherent need to share what they know. Hell look at online forums... look at this very post. I surely fit some psych profile nicely.

I recall this one case, not too long ago, where a guy walked straight into the H&Rs office with a new 24" lcd monitor. Installed it, along with a keylogger and left. The excuse: management thought you'd appreciate this gift! lol 5 minutes it took him.

Just go to any happy hour and sit next to corporate looking people. The amount of confidential information they talk loudly about is simply astonishing. I've often heard people talking about their own passwords...

These techniques have often been used by con-men and private investigators.

Just ridiculous... but it works lol

-n-

"I believe that sex is one of the most beautiful, natural, wholesome things that money can buy."
-- Steve Martin